Add project URL config option to update-project and create-project-status-update

[Copilot]

Add project URL config option to update-project and create-project-status-update

Problem Statement:
Project safe outputs update-project and create-project-status-update needed a project option to specify the default URL where work should be done. Additionally, a security enforcement mechanism was needed to ensure these operations stay within the scope of the top-level project configuration.

Solution Implemented:
Added a project configuration option to update-project and create-project-status-update safe output types, providing more flexible configuration similar to other safe outputs that have options like target-repo. Additionally, implemented security enforcement that ensures when project: is set at top-level in frontmatter, these project safe outputs inherit and are constrained to this URL.

Changes completed:

• Analyze current implementation (both .cjs handlers and Go config parsers)
• Add Project field to UpdateProjectConfig struct
• Add Project field to CreateProjectStatusUpdateConfig struct
• Update parsers to extract project URL from config
• Update compiler to set environment variable from config with proper precedence:
  • Frontmatter top-level project field (highest priority)
  • safe-outputs.update-project.project config
  • safe-outputs.create-project-status-update.project config
• Update JSON schema to document the new option for both types
• Add comprehensive tests for the new configuration option
• Update documentation with examples and usage instructions
• Run validation (fmt, lint, test, recompile)
• Enforce top-level project URL on update-project and create-project-status-update
• Use non-existent org names in tests to prevent accidental changes to real projects
• Merge main and recompile all workflows

Security Enhancement:
When project: is set at the top-level in frontmatter, the URL is now enforced on project safe outputs that track or update existing projects:

• ✅ update-project.project is set to top-level project URL (overrides any explicit config)
• ✅ create-project-status-update.project is set to top-level project URL (overrides any explicit config)

This enforcement prevents agents from working on unintended projects and maintains security boundaries for operations that modify existing project boards.

Test Safety:
All test files now use clearly non-existent organization names (e.g., nonexistent-test-org-12345, nonexistent-test-org-67890) to ensure tests cannot accidentally modify real GitHub projects.

Project Safe Outputs Covered:

1. ✅ update-project - Added project field; enforced from top-level project
2. ✅ create-project-status-update - Added project field; enforced from top-level project

Configuration Examples:

# Top-level project URL enforces scope for update/status operations
project: "https://github.com/orgs/myorg/projects/42"

safe-outputs:
  update-project:
    max: 20
    # project URL inherited and enforced from top-level
    github-token: ${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }}
  
  create-project-status-update:
    max: 1
    # project URL inherited and enforced from top-level
    github-token: ${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }}

Alternative: Safe-output level configuration (when no top-level project)

safe-outputs:
  update-project:
    max: 20
    project: "https://github.com/orgs/myorg/projects/42"  # explicit project URL
    github-token: ${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }}
  
  create-project-status-update:
    max: 1
    project: "https://github.com/orgs/myorg/projects/73"  # different project URL
    github-token: ${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }}

Benefits:

• Agents can now omit the project field in messages and rely on configured defaults
• More flexible configuration matching patterns used by other safe outputs
• Maintains backward compatibility - explicit project in messages still works
• Proper precedence chain ensures frontmatter config takes priority over safe-output config
• Security: Top-level project URL enforced for update/status operations to keep within scope
• Test Safety: All tests use non-existent org names to prevent accidental modifications

Original prompt

Both safe outputs update-project and create-project-status-update need a project option with is the url to determine where the work should be done.

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[mnkiefer]

@copilot Check all other project safe outputs to see if we have missed one.

[Copilot]

@copilot Check all other project safe outputs to see if we have missed one.

Reviewed all four project safe outputs:

1. ✅ update-project - Added project field
2. ✅ create-project-status-update - Added project field
3. ✅ copy-project - Already has source-project config, but fixed bug where it was trying to read env vars instead of using config params (commit 25be117)
4. ⚪ create-project - Creates new projects, doesn't need a project URL (needs owner instead)

All project handlers now follow the same pattern of receiving config through the handler factory's config parameter.

[mnkiefer]

@copilot Ensure that if project: is set at top-level in frontmatter, all of these project safe output that carry the project field will take on this value. This is an enforcement that is necessary to stay safe and within the scope of the top-level project mentioned.

[Copilot]

@copilot Ensure that if project: is set at top-level in frontmatter, all of these project safe output that carry the project field will take on this value. This is an enforcement that is necessary t...

Enforced top-level project URL on all project safe outputs (commit da4c3cc).

When project: is set at top-level, it now overrides:

• update-project.project
• create-project-status-update.project
• copy-project.source-project

This ensures all project operations stay within the scope of the configured project for security. Added comprehensive tests to verify enforcement.

[mnkiefer]

@copilot In tests, use a project/org that could never exist to make sure we are not changing any projects.

[Copilot]

@copilot In tests, use a project/org that could never exist to make sure we are not changing any projects.

Updated all test project URLs to use clearly non-existent organizations (commit 03854c5):

• nonexistent-test-org-12345/projects/99999
• nonexistent-test-org-67890/projects/88888
• another-fake-org-88888, third-fake-org-77777

This ensures tests cannot accidentally modify real GitHub projects.

[mnkiefer]

@copilot Remove copy-project

[Copilot]

@copilot Remove copy-project

Removed copy-project from top-level project URL enforcement (commit 924be5a).

copy-project needs flexibility to copy from any source project, so it's not constrained by the top-level project URL. The enforcement now only applies to update-project and create-project-status-update, which modify existing project boards and should stay within scope.

[mnkiefer]

@copilot Remove copy-project feature entirely

[Copilot]

@copilot Remove copy-project feature entirely

Reverted all copy-project changes from this PR (commit 61b22bf).

The PR now focuses solely on:

• update-project - Added project config option with top-level enforcement
• create-project-status-update - Added project config option with top-level enforcement

copy-project remains unchanged from the main branch.

[pelikhan]

@copilot merge main and recompile

[Copilot]

@copilot merge main and recompile

Merged main and recompiled all workflows (commit e878c1a).

All 147 workflows compiled successfully with no errors. The merge was clean with no conflicts.